DDoS attacks, DNS cache poisoning keeping ISPs up at night

New data on the state of ISP security through 2008 suggests that companies are …

New survey data shows an increase in the size and frequency of DDoS attacks, as well as a rise in more sophisticated attack methods. Virtually all of the ISPs that participated in the Arbor Networks survey indicated they were increasingly concerned about the possibility of DNS cache poisoning or other infrastructure weaknesses, but these fears aren't being communicated to law enforcement, even after an attack has taken place.

Arbor Networks has conducted this survey for several years and includes year-on-year data when available. The survey covered 66 ISPs from around the world, including tier 1 and tier 2 operators. Arbor also tried to include a number of academic networks as well as government and wireless providers.

The report (PDF) packs a fair amount of information into 30 pages and, considering it was written by a security solutions provider, is remarkably light on the "buy our stuff" sales pitch that often accompanies these sorts of documents. The largest observed DDoS attack this year hit 40Gbps, up nearly double from 2007's 24Gbps record. The good news, according to Arbor, is that the majority of ISPs are now capable of detecting these attacks via commercial or open-source tools, and are capable of responding in ways that don't necessitate taking entire sections of their networks offline.

Asked to rank the threats that concerned them the most, the majority of ISPs chose bots and botnets (26 percent) with DNS cache poisoning jumping into second place at ~23 percent. Fear of bot/botnet attacks actually fell in 2008—in 2007, 29 percent of respondents chose this category as their #1 concern—partly due to significantly increased fears over BGP route hijacking. Earlier this year, Pakistan accidentally blocked access to YouTube worldwide when it attempted to prevent its own citizens from viewing the website. That incident apparently made a significant impression on ISPs; the possibility of further BGP route hijackings has raised the visibility of the issue.

Asked to rank the security activities that they believe consume the most operational resources, some 32 percent of ISPs blamed spam, with second place going to constant security events (scans, worms, updates, etc.) at 27 percent. DDoS attacks ranked third, at 21 percent. Spam hadn't previously been a choice on the survey, and the authors of the Arbor Networks report were surprised to see it ranked first. The implication here is that even with the most up-to-date and advanced antispam tools, actually keeping one's network clear of the junk (or as clear as possible) still requires a large amount of human oversight. If we consider spam an "ongoing" problem (which it surely is), nearly 60 percent of a security staff's time is spent keeping pace with whatever junk is flowing down the tubes on a day-to-day basis.

For all the problems facing ISPs today, current law enforcement options aren't seen as providing any sort of effective solution. The overwhelming majority of ISPs—nearly 60 percent—reported no attacks to law enforcement officials over 2008. When asked why, 29 percent of the ISPs surveyed responded that law enforcement has only limited capabilities to address the issue, 26 percent expected customers to report, 17 percent saw no point in reporting in the first place, and 29 percent listed "Other" as a reason. Asked whether or not law enforcement has the power/means to act, 21 percent of respondents answered "Yes," while 64 percent chose "No."

One last point of information I want to highlight is the presence (or absence) of dedicated security staff. The graph here, I think, speaks for itself.

Nearly 23 percent of the ISPs surveyed have no dedicated support staff (including nearly 50 percent of education/academic networks), while another eight percent indicated just one person was responsible for all facets of security. One can't help wondering what impact this has on the rate and speed at which malware propagates across the Net. At some 32 percent of the respondents, there's either no one guarding the door or just a single (undoubtedly overworked) guard who may spend most of his time putting out fires on-site as opposed to actually monitoring the network.

Conclusion

Combine the well-documented growth in attacks with the general lack of trust in law enforcement, and the recent trend towards community-organized takedowns may be the beginning of a long-term trend. Based on the data we've discussed here (there's considerably more in the paper itself), it seems clear that many organizations are near their breaking strain. The explosion of botnet variants has caused major problems for security staff, the total number of botnet machines continues to grow, and ultimately, there are only so many staff any company can afford to hire. The wheels of the justice system are deliberately designed to turn slowly, and as we've seen, an announced injunction from the FTC doesn't have the same short-term impact as the ISP crackdowns on Atrivo and McColo. The desired long-term impacts have yet to occur, but there's data that suggests even a small rise in the cost-per-email of a spam campaign could be a significant deterrent.